Woodhill

US006934858B2

(10) Patent No.: US 6,934,858 B2
(45) Date of Patent: Aug. 23, 2005

(54) SYSTEM AND METHOD OF USING THE PUBLIC SWITCHED TELEPHONE
NETWORK IN PROVIDING AUTHENTICATION OR AUTHORIZATION FOR ONLINE
TRANSACTIONS

(75) Inventor: James R. Woodhill, Houston, TX (US)

(73) Assignee: Authentify, Inc., Chicago, IL (US)

(*) Notice: Subject to any disclaimer, the term of this patent is
extended or adjusted under 35 U.S.C. 154(b) by 914 days.

(21) Appl. No.: 09/737,254

(22) Filed: Dec. 13, 2000

(65) Prior Publication Data

US 2002/0004831 A1 Jan. 10, 2002

Related U.S. Application Data

(60) Provisional application No. 60/170,808, filed on Dec. 15, 1999.

(51) Int. Cl.⁷: H04L 9/32
(52) U.S. Cl.: 713/201
(58) Field of Search: 713/200-202, 713/186; 379/88.01, 88.02; 340/5.84

(56) References Cited

U.S. PATENT DOCUMENTS

5,995,606 A *  11/1999  Civanlar et al.  379/207.13
6,012,144 A *   1/2000  Pickett          713/201
6,044,471 A     3/2000  Colvin
6,088,683 A     7/2000  Jalili
6,167,518 A    12/2000  Padgett et al.   713/186
6,175,626 B1    1/2001  Aucsmith et al.  380/30
6,574,599 B1 *  6/2003  Lim et al.       704/270

OTHER PUBLICATIONS

Copy of the International Search Report mailed Mar. 23, 2001 for the
PCT counterpart application of the above-identified application.

* cited by examiner

Primary Examiner: Matthew Smithers
(74) Attorney, Agent, or Firm: Welsh & Katz, Ltd.

(57) ABSTRACT

An authentication or authorization system to facilitate electronic
transactions uses simultaneous or substantially simultaneous
communications on two different networks to verify a user's identity.
When a user logs onto a site, via the internet, a telephone number,
either pre-stored or obtained in real time from the visitor, where the
visitor can be called essentially immediately is used to set up, via
the switched telephone network another communication link. Where the
user has multiple communication links available, the telephone call is
automatically placed via the authentication or authorization software
simultaneously while the user is on-line. In the event that the user
has only a single communication link, that individual will have to log
off temporarily for purposes of receiving the telephone call.
Confirmatory information is provided via the internet to the user. The
automatically placed telephone call requests that the user feed back
this confirmatory information for verification purposes. The telephone
number which is being called is adjacent to the user's internet
terminal. The user's response, via the telephone network, can be
compared to the originally transmitted confirmatory information to
determine whether the authentication or authorization process should go
forward.

59 Claims, 18 Drawing Sheets

TWILIO INC. Ex. 1010 Page 1

[FIG. 1: SYSTEM block diagram. Labeled elements: site visitor with
computer, display and telephone; Public Switched Telephone Network;
authentication/authorization service; transaction records.]

FIG. 2 (FIG. 2A and FIG. 2B): AN OVERVIEW OF THE PROCESS (100)

FIG. 2A

102 THE SITE VISITOR ENTERS THE TARGET SITE.

104 THE VISITOR REGISTERS ON THE TARGET SITE'S EXISTING REGISTRATION
PAGE.

106 THE TARGET SITE CONFIRMS A PHONE NUMBER FOR THE VISITOR:

• THE TARGET SITE MIGHT ASK THE VISITOR IF A PHONE NUMBER STORED IN ITS
  SITE VISITOR RECORDS IS CORRECT; OR

• ASK THE VISITOR TO TYPE IN A PHONE NUMBER.

...IS TEMPORARILY TRANSPORTED TO THE SERVER, WHICH PLACES AN AUTOMATED
PHONE CALL...

108 THE AUTHENTICATION/AUTHORIZATION SERVER (HEREAFTER, "THE SERVER")
ASSUMES CONTROL OF THE VISITOR'S BROWSER AND ASKS THE VISITOR IF A CALL
CAN BE PLACED TO THE PHONE NUMBER WHILE THE VISITOR IS ONLINE.

• IF THE VISITOR ANSWERS "YES," THE ONLINE SESSION CONTINUES. THE SERVER
  DISPLAYS A CONFIRMATION NUMBER ONSCREEN.

• IF THE VISITOR ANSWERS "NO," THE SERVER:

  • DISPLAYS A CONFIRMATION NUMBER ONSCREEN, AS WELL AS THE URL OF A
    "FINISH REGISTRATION" WEB PAGE;

  • TELLS THE VISITOR TO TAKE NOTE OF BOTH THE CONFIRMATION NUMBER AND
    THE URL; THEN

  • INSTRUCTS THE VISITOR TO DISCONNECT FROM THE INTERNET.

FIG. 2B

110 THE SERVER CALLS THE VISITOR ON THE PHONE:

• AN AUTOMATED CALL FIRST CONFIRMS THAT THE CALL RECIPIENT IS THE
  VISITOR AND IS EXPECTING THE CALL.

• AN AUTOMATED CALL THEN ASKS THE VISITOR TO TYPE THE CONFIRMATION
  NUMBER DISPLAYED IN THE ONLINE SESSION.

112 OPTIONALLY, AN AUTOMATED CALL CAN TELL THE VISITOR TO SPEAK INTO THE
PHONE, SO THAT THE SERVER CAN MAKE ONE OR MORE DIGITAL VOICE RECORDINGS.
IN A STANDARD IMPLEMENTATION, THE AUTOMATED CALL MIGHT REQUEST UP TO TWO
DISTINCT VOICE RECORDINGS, SUCH AS THE VISITOR RECITING HIS OR HER NAME,
AND THEN RECITING AN AGREEMENT TO TERMS.

• VISITORS WHO REMAINED ONLINE DURING THE CALL CAN THEN HANG UP THE
  PHONE.

• VISITORS WHO HAD TO DISCONNECT FROM THE INTERNET ARE REMINDED TO
  RETURN TO THE "FINISH REGISTRATION" WEB PAGE AFTER HANGING UP.

114 THE TARGET SITE REGAINS CONTROL OF THE VISITOR'S BROWSER AND
RECEIVES A RESPONSE FROM THE SERVER DESCRIBING THE AUTOMATED TELEPHONE
SESSION.

BASED ON THE SUCCESS OR FAILURE CODES IN THE SERVER RESPONSE, THE TARGET
SITE DECIDES WHETHER THE VISITOR HAS SATISFIED THE REQUIREMENTS FOR
REGISTRATION.
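
Steps 108 to 114 of FIG. 2, modeled as an added Python example that is not part of the patent: the server issues the confirmation number shown in the web session, checks the digits keyed in on the phone line, and returns a result code the target site acts on. The class and function names, the result codes, the retry limit, the lifetime and the phone numbers are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 4      # FIGS. 9 and 13 on this page show 4-digit confirmation numbers
MAX_ATTEMPTS = 3     # assumption: the page gives no retry limit
TTL_SECONDS = 300    # assumption: the page gives no lifetime for the number


@dataclass
class Challenge:
    phone: str
    code: str
    issued_at: float
    attempts: int = 0
    closed: bool = False


class AuthServer:
    """Hypothetical model of "the server" in steps 108-114."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._open = {}                  # web session id -> Challenge
        self.transaction_records = []    # audit trail handed back to the site

    def start(self, session_id, phone):
        """Step 108: create the number that is displayed in the online session."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._open[session_id] = Challenge(phone, code, self._clock())
        self._record(session_id, phone, "ISSUED")
        return code

    def phone_response(self, session_id, called_number, keyed_digits):
        """Step 110: compare digits keyed during the call with the displayed number."""
        ch = self._open.get(session_id)
        if ch is None or ch.closed:
            return self._record(session_id, called_number, "NO_ACTIVE_CHALLENGE")
        if called_number != ch.phone:
            # The answer must arrive on the line confirmed in step 106.
            return self._record(session_id, called_number, "WRONG_LINE")
        if self._clock() - ch.issued_at > TTL_SECONDS:
            ch.closed = True
            return self._record(session_id, called_number, "EXPIRED")
        ch.attempts += 1
        # Constant-time comparison; a match closes the challenge (single use).
        if hmac.compare_digest(keyed_digits.encode(), ch.code.encode()):
            ch.closed = True
            return self._record(session_id, called_number, "SUCCESS")
        if ch.attempts >= MAX_ATTEMPTS:
            # A 4-digit number has only 10,000 values, so guessing must be capped.
            ch.closed = True
            return self._record(session_id, called_number, "LOCKED")
        return self._record(session_id, called_number, "MISMATCH")

    def _record(self, session_id, phone, result):
        self.transaction_records.append(
            {"time": self._clock(), "session": session_id,
             "phone": phone, "result": result})
        return result


def registration_allowed(result_code):
    """Step 114: the target site decides from the server's result code."""
    return result_code == "SUCCESS"


def demo():
    """Run constructed sessions against a fake clock; return (results, records)."""
    now = [1_000.0]
    server = AuthServer(clock=lambda: now[0])
    phone = "+1-555-0100"                       # constructed sample number
    results = []

    code = server.start("sess-A", phone)
    results.append(server.phone_response("sess-A", phone, code))    # match
    results.append(server.phone_response("sess-A", phone, code))    # replay

    code = server.start("sess-B", phone)
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        results.append(server.phone_response("sess-B", phone, wrong))
    results.append(server.phone_response("sess-B", phone, code))    # after lock

    code = server.start("sess-C", phone)
    results.append(server.phone_response("sess-C", "+1-555-0199", code))  # other line
    now[0] += TTL_SECONDS + 1
    results.append(server.phone_response("sess-C", phone, code))    # too late
    return results, server.transaction_records


if __name__ == "__main__":
    outcome, records = demo()
    print(outcome)
    print(len(records), "audit records")
```

Every issue and every phone response lands in `transaction_records`, which plays the part of the audit trail that the target site receives alongside the result code.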

[FIG. 3: REGISTRATION SYSTEM block diagram. Labeled elements: credential
issuing site; site visitor records; transaction records; Public Switched
Telephone Network; site visitor.]

[FIG. 4: Browser screenshot of the XYZ Financial home page, with an
"Open an Account" button and links for personal finance, insurance and
bill payment.]

[FIG. 5: Browser screenshot of the XYZ Financial "Registration" form:
last name, mailing address, city, state, zip code and country fields,
with Submit, Cancel and Reset buttons.]

[FIG. 6: Browser screenshot, "Choose Phone Number". On-screen text: "To
ensure the security of our customer accounts, XYZ Financial will place a
phone call to the registrant to confirm some personal information. This
phone call will be made during this registration process, therefore we
would like to know which phone number is available for you in the next
few minutes to receive an automated call. If the only phone available is
currently being used for your Internet access, please select this phone
number and follow the prompts on the following page." Choices: Work
Phone, or Other Phone (country code, area code, phone number,
extension). Buttons: Continue, Cancel.]

[FIG. 7: Browser screenshot, "Before we call...". The page asks whether
the visitor can talk on the chosen phone number while connected to the
Internet. Choices: Yes, No. Buttons: Continue, Cancel.]

[FIG. 8: Browser screenshot, "Before we call...". On-screen text: "If
the following statement is correct, click Call Me Now and we'll call you
immediately. If incorrect, click Repeat Question." Statement: "I can
personally answer telephone calls placed to [the chosen number] at the
same time my computer is connected to the Internet and I can read
information displayed on my computer's screen while using the
telephone."]

[FIG. 9: Browser screenshot, "Please wait for our call...". On-screen
text: "During the call, you will be asked to enter the following
confirmation number into your telephone. Confirmation Number: 2 0 9 2.
Do not use this web browser until your call is finished."]

[FIG. 10: Browser screenshot, "Listen carefully to your telephone...".
On-screen text: "Do not use this web browser until your call is
finished."]

[FIG. 11: Browser screenshot, "Congratulations!". The page states that
the visitor has completed the final step in the registration process for
XYZ Financial, displays the issued User ID and Password, and lists
guidelines to protect against online fraud: do not give out account
information, User ID or Password to anyone; never send privileged
account information via public or general e-mail; never leave the PC
unattended while online with XYZ Financial.]

[FIG. 12: Browser screenshot, "Before we call...". On-screen text: "If
the following statement is correct, click Continue. If incorrect, click
Repeat Question." Statement: "To personally answer a telephone call
placed to [the chosen number] I must first disconnect my computer from
the Internet." Buttons include Repeat Question and Cancel.]

[FIG. 13: Browser screenshot, "Before we call...". On-screen text:
"After you write down your confirmation number, click Continue. Please
write down the following confirmation number now. You'll need it when we
call. Confirmation Number: 2825".]

[FIG. 14: Browser screenshot, "Before we call...". On-screen text:
"After you write down the following address, click Continue. After the
call, to complete your registration you must reconnect your computer to
the Internet, then point your web browser to the following address:
www.finishregistration.com". Buttons: Continue, Cancel.]

[FIG. 15: Browser screenshot, "Before we call...". On-screen text:
"After you select a delay, click Continue. Please tell us when to call
you. Allow for enough time to disconnect your computer from the
Internet." The page offers a selectable delay before the call to the
chosen number.]

[FIG. 16: Browser screenshot, "We're almost finished!". On-screen text:
"To receive our call, you must click the Call Me in 1 Minute button
below, then wait for our confirmation page to display on your browser.
Here's the information you should have written down: your confirmation
number: 2 8 2 5; after the call, point your web browser to
www.finishregistration.com". Buttons: Call Me in 1 Minute, Change Delay,
Cancel.]

[FIG. 17: Browser screenshot, "Thank You!". On-screen text: "We will
call you at [the chosen number] in about 1 minute. Please disconnect
your computer from the Internet, then wait for our call."]

SYSTEM AND METHOD OF USING THE PUBLIC SWITCHED TELEPHONE
NETWORK IN PROVIDING AUTHENTICATION OR AUTHORIZATION
FOR ONLINE TRANSACTIONS

The benefit of a Dec. 15, 1999 filing date for Provisional Patent
Application Ser. No. 60/170,808 is hereby claimed.

FIELD OF THE INVENTION

This invention relates generally to Internet security. More
particularly, this invention relates to the method of attempting to
verify the identity of an Internet user.

BACKGROUND OF INVENTION

The internet offers the prospect of expanded, world-wide commerce,
e-commerce, with potentially lower cost to purchasers than heretofore
possible. However, the lack of direct person-to-person contact has
created its own set of problems. Identity theft is a problem threatening
the growth of e-commerce.

E-commerce growth will only occur if there is a trusted and reliable
security infrastructure in place. It is imperative that the identity of
site visitors be verified before granting them access to any online
application that requires trust and security. According to the National
Fraud Center, its study of identity theft "led it to the inescapable
conclusion that the only realistic broad-based solution to identity
theft is through authentication." Identity Theft: Authentication As A
Solution, page 10, nationalfraud.com.

In order to "authenticate" an entity, one must:
1) identify the entity as a "known" entity;
2) verify that the identity being asserted by the entity is its true
   identity; and,
3) provide an audit trail, which memorializes the reasons for trusting
   the identity of the entity.

In the physical world, much of the perceived security of systems relies
on physical presence. Traditionally, in order to open a bank account, an
applicant must physically appear at a bank branch, assert an identity,
fill out forms, provide signatures on signature cards, etc. It is
customary for the bank to request of the applicant that they provide one
or more forms of identification. This is the bank's way of verifying the
applicant's asserted identity. If the bank accepts, for instance, a
driver's license in accepting as a form of identification, then the bank
is actually relying on the processing integrity of the systems of the
state agency that issued the driver's license that the applicant is who
he/she has asserted themselves to be.

The audit trail that the bank maintains includes all of the forms that
may have been filled out (including signature cards), copies of
important documents (such as the driver's license), and perhaps a photo
taken for identification purposes. This process highlights the reliance
that a trusted identification and authentication process has on physical
presence.

In the electronic world, the scenario would be much different. An
applicant would appear at the registration web site for the bank, enter
information asserting an identity and click a button to continue the
process. With this type of registration, the only audit trail the bank
would have is that an entity from a certain IP address appeared at the
web site and entered certain information. The entity may actually have
been an automated device. The IP address that initiated the transaction
is most likely a dynamically-assigned address that was issued from a
pool of available addresses. In short, the bank really has no assurance
of the true identity of the entity that registered for the account.

To resolve this issue, many providers of electronic commerce sites have
begun to rely on mechanisms that do not happen as part of the actual
electronic transaction to help provide assurance that the transaction is
authentic. These mechanisms are generally referred to as "out-of-band"
mechanisms. The most frequently used out-of-band authentication
mechanism is sending the end user a piece of mail via the United States
Postal Service or other similar delivery services. The piece of mail
sent to the end user will contain some piece of information that the
site requires the end user to possess before proceeding with the
registration.

By sending something (e.g., a PIN number) through the mail, and then
requiring the end user to utilize that piece of information to
"continue" on the web site, the provider of the site is relying on the
deterrent effects of being forced to receive a piece of mail at a
location, including but not limited to, the federal laws that are
intended to prevent mail fraud. The primary drawback of using the mail
is that it is slow. In addition, there is no audit trail. In this day
and age of the Internet, waiting "7-10 days" for a mail package to
arrive is not ideal for the consumer or the e-commerce site.

An authentication factor is anything that can be used to verify that
someone is who he or she purports to be. Authentication factors are
generally grouped into three general categories: something you know,
something you have, and something you are.

A "something you know" is a piece of information which alone, or taken
in combination with other pieces of information, should be known only by
the entity in question or those whom the entity in question should
trust. Examples are a password, mother's maiden name, account number,
PIN, etc. This type of authentication factor is also referred to as a
"shared secret".

A shared secret is only effective if it is maintained in a confidential
fashion. Unfortunately, shared secrets are often too easy to determine.
First, the shared secret is too often derived from information that is
relatively broadly available (Social Security Number, account number).
Second, it is difficult for a human being to maintain a secret that
someone else really wants. If someone really wants information from you,
they may go to great lengths to get it, either by asking you or those
around you, directly or indirectly, or by determining the information
from others that may know it.

A "something you have" is any physical token which supports the premise
of an entity's identity. Examples are keys, swipe cards, and smart
cards. Physical tokens generally require some out-of-band mechanism to
actually deliver the token. Usually, some type of physical presence is
necessary (e.g., an employee appearing in the human resources office to
pick up and sign for keys to the building.)

Physical tokens provide the added benefit of not being "socially
engineer-able", meaning that without the physical token, any amount of
information known to a disreputable party is of no use without the
token. A trusted party must issue the token in a trusted manner.

A "something you are" is some feature of a person that can be measured
and used to uniquely identify an individual within a population.
Examples are fingerprints, retina patterns, and voiceprints. Biometric
capabilities offer the greatest form of identity authentication
available. They require some type of physical presence and they are able
to depict unique characteristics of a person that are exceedingly
difficult to spoof.

Unfortunately, biometric devices are not yet totally reliable, and the
hardware to support biometrics is expensive and not yet broadly
deployed. Some biometric technology in use today also relies on an
electronic "image" of the biometric to compare against. If this
electronic image is ever compromised, then the use of that biometric as
identity becomes compromised. This becomes a serious problem based on
the limited number of biometrics available today. More importantly,
biometrics cannot be utilized to determine an individual's identity in
the first instance.

A security infrastructure is only as strong as its underlying trust
model. For example, a security infrastructure premised upon security
credentials can only address the problems of fraud and identity theft if
the security credentials are initially distributed to the correct
persons.

First-time registration and the initial issuance of security
credentials, therefore, are the crux of any security infrastructure;
without a trusted tool for initially verifying identity, a security
infrastructure completely fails. The National Fraud Center explicitly
noted this problem at page 9 of its report:

"There are various levels of security used to protect the identities of
the [security credential] owners. However, the known security limitation
is the process utilized to determine that the person obtaining the
[security credential] is truly that person. The only known means of
making this determination is through the process of authentication."

In any security model, the distribution of security credentials faces
the same problem: how to verify a person's identity over the anonymous
Internet. There are three known methods for attempting to verify a site
visitor's identity. The three current methods are summarized below:

Solution A: an organization requires the physical presence of a user for
authentication. While the user is present, a physical biometric could be
collected for later use (fingerprint, voice sample, etc.). The problem
with the physical presence model is that it is extremely difficult and
costly for a company to require that all of its employees, partners, and
customers present themselves physically in order to receive an
electronic security credential. This model gets more difficult and more
expensive as it scales to a large number of users.

Solution B: a company identifies and authenticates an individual based
on a shared secret that the two parties have previously agreed upon. The
problem with the shared secret model is that it in itself creates a
serious security problem: shared secrets can easily be compromised.
Since the shared secret is relatively easy to obtain, this security
model suffers from serious fraud rates. Use of an electronic copy of a
specific biometric like a thumbprint could be used as a shared secret.
But once it is compromised, one cannot reissue a new thumbprint and
there is a limited set of others to choose from.

Solution C: a company relies on communication of a shared secret through
the postal service. This process begins when the user registers at a web
site and enters uniquely identifying information. A personal
identification number (PIN) is then sent to the user at a postal mailing
address (assuming the identifying information is correct). The user must
receive the PIN in the mail, return to the web site and re-register to
enter the PIN. The postal service is used because it is a trusted
network; there is some assurance of delivery to the expected party and
there are legal implications for breach of the network. A large flaw
with this method is the built-in delay of days, even weeks, before the
user receives the PIN. This mode of authentication is too slow by
today's business standards; the potential of the Internet to transform
the structure of commerce rests firmly on the ability to process
transactions rapidly. Too many people simply never finish the process.
Moreover, there is a limited audit trail to refer to in the event of a
dispute regarding the use of the security credential. A signature
(another type of biometric) could be required, but that triples the
delay until the PIN is returned. Organizations are seeing large number
of potential customers not returning to close a transaction after these
delays.

Table I summarizes characteristics of the known authentication
processes.

[TABLE I: Authentication Processes. Column headings: Physical Presence;
Shared Secrets. Rows (Characteristics): Automated; Easily Scalable;
Auditable; Can use biometrics; Has legal protections; Occurs in real
time, therefore tends to retain customers; Deters fraud; Protects
private data. Check-mark cells not legible.]

Known solutions do not enable organizations to distribute efficiently
and securely electronic security credentials. There continues to be a
need for improved authentication or authorizing methods. Preferably such
improvements could be realized without creating substantial additional
complexity for a visitor to a site. It would also be preferable if such
methods did not slow down the pace of the interaction or transaction.

SUMMARY OF THE INVENTION

An automated system uses a publicly available communications network,
such as the Public Switched Telephone Network (PSTN), wire line or
wireless, to provide a real-time, interactive and largely self-service
mechanism to aide in authentication (identity verification) and
authorization (acceptance by a verified identity) for electronic
transactions. Actions are coordinated between an electronic network (the
Internet) and the Public Switched Telephone Network.

This coordination of an active Internet session with an active PSTN
session can be used as a tool for verification. In one embodiment, it
can be used to create an audit trail for any individual electro